Ping Federate - Unusual mail domain

Back


Id	dc79de7d-2590-4852-95fb-f8e02b34f4da
Rulename	Ping Federate - Unusual mail domain.
Description	Detects unusual mail domain in authentication requests.
Severity	Medium
Tactics	InitialAccess
Techniques	T1078
Required data connectors	PingFederate PingFederateAma
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateUnusualMailDomain.yaml
Version	1.0.1
Arm template	dc79de7d-2590-4852-95fb-f8e02b34f4da.json

KQL

let known_domains = 
PingFederateEvent
| where TimeGenerated between (ago(14d) .. (1d))
| extend email = extract(@'email=(.*?),.*', 1, AdditionalExtensions)
| extend m_domain = extract(@'@(.*)', 1, email)
| where isnotempty(m_domain)
| summarize makeset(m_domain);
PingFederateEvent
| extend email = extract(@'email=(.*?),.*', 1, AdditionalExtensions)
| extend m_domain = extract(@'@(.*)', 1, email)
| where isnotempty(m_domain)
| where m_domain !in (known_domains)
| extend AccountCustomEntity = DstUserName
| extend IpCustomEntity = SrcIpAddr

YAML

name: Ping Federate - Unusual mail domain.
query: |
  let known_domains = 
  PingFederateEvent
  | where TimeGenerated between (ago(14d) .. (1d))
  | extend email = extract(@'email=(.*?),.*', 1, AdditionalExtensions)
  | extend m_domain = extract(@'@(.*)', 1, email)
  | where isnotempty(m_domain)
  | summarize makeset(m_domain);
  PingFederateEvent
  | extend email = extract(@'email=(.*?),.*', 1, AdditionalExtensions)
  | extend m_domain = extract(@'@(.*)', 1, email)
  | where isnotempty(m_domain)
  | where m_domain !in (known_domains)
  | extend AccountCustomEntity = DstUserName
  | extend IpCustomEntity = SrcIpAddr  
description: |
    'Detects unusual mail domain in authentication requests.'
tactics:
- InitialAccess
requiredDataConnectors:
- dataTypes:
  - PingFederateEvent
  connectorId: PingFederate
- dataTypes:
  - PingFederateEvent
  connectorId: PingFederateAma
queryPeriod: 14d
queryFrequency: 1h
status: Available
triggerThreshold: 0
id: dc79de7d-2590-4852-95fb-f8e02b34f4da
triggerOperator: gt
version: 1.0.1
relevantTechniques:
- T1078
severity: Medium
kind: Scheduled
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IpCustomEntity
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateUnusualMailDomain.yaml

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dc79de7d-2590-4852-95fb-f8e02b34f4da')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dc79de7d-2590-4852-95fb-f8e02b34f4da')]",
      "properties": {
        "alertRuleTemplateName": "dc79de7d-2590-4852-95fb-f8e02b34f4da",
        "customDetails": null,
        "description": "'Detects unusual mail domain in authentication requests.'\n",
        "displayName": "Ping Federate - Unusual mail domain.",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IpCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateUnusualMailDomain.yaml",
        "query": "let known_domains = \nPingFederateEvent\n| where TimeGenerated between (ago(14d) .. (1d))\n| extend email = extract(@'email=(.*?),.*', 1, AdditionalExtensions)\n| extend m_domain = extract(@'@(.*)', 1, email)\n| where isnotempty(m_domain)\n| summarize makeset(m_domain);\nPingFederateEvent\n| extend email = extract(@'email=(.*?),.*', 1, AdditionalExtensions)\n| extend m_domain = extract(@'@(.*)', 1, email)\n| where isnotempty(m_domain)\n| where m_domain !in (known_domains)\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}